
Unable to open NIFI web UI after TLS

avatar

Hi All,

I enabled TLS for the NiFi web UI (CDF). While the services are running fine on the cluster, I'm unable to access the NiFi web UI from my browser. Below are the steps I followed; please suggest what might be causing the issue.

I repeated the steps below on all the machines in my NiFi cluster.

1. Received the signed host certificate from the IT team (<hostname>.pem), and also the root CA (root.pem).

2. Copy the JDK cacerts file to jssecacerts as follows:

sudo cp $JAVA_HOME/jre/lib/security/cacerts $JAVA_HOME/jre/lib/security/jssecacerts

3. Import the root CA cert into the JKS store:

sudo $JAVA_HOME/bin/keytool -importcert -alias rootca -keystore $JAVA_HOME/jre/lib/security/jssecacerts -file /opt/cloudera/security/pki/root.pem

4. Created the JKS and imported the host certificate into the keystore:

$JAVA_HOME/bin/keytool -genkeypair -alias $(hostname -f) -keyalg RSA -keystore /opt/cloudera/security/pki/$(hostname -f).jks -keysize 2048 -dname "CN=$(hostname -f),OU=Engineering,O=Cloudera,L=Singapore,ST=Singapore,C=Singapore" -ext san=dns:$(hostname -f)
sudo $JAVA_HOME/bin/keytool -importcert -alias $(hostname -f) -file /opt/cloudera/security/pki/$(hostname -f).pem -keystore /opt/cloudera/security/pki/$(hostname -f).jks

5. Created symlinks:

sudo ln -s /opt/cloudera/security/pki/$(hostname -f).pem /opt/cloudera/security/pki/agent.pem

sudo ln -s /opt/cloudera/security/pki/$(hostname -f).jks /opt/cloudera/security/pki/server.jks

6. Enabled TLS from Cloudera Manager for NiFi.

7. Restarted services from Cloudera Manager.

8. Unable to access from the browser.



avatar

Hi @MattWho, I have checked the configurations as mentioned by you, but I'm still stuck at the same issue. Can you advise?

avatar

I'm stuck at the user certificate step, if someone can help me understand how to get these certs.

My NiFi UI gives "Insufficient Permissions".



avatar

@MattWho I added a client certificate in my browser. Below are the steps I followed:

I set up the initial admin identity in the NiFi conf as "Admin".

Got a client cert for "Admin" from the IT team.

Added the cert in my browser.

Below are the log lines from my nifi-user.log.


"2020-02-10 11:18:54,677 INFO [main] o.a.n.a.FileAccessPolicyProvider Populating authorizations for Initial Admin: Admin
2020-02-10 11:18:54,693 INFO [main] o.a.n.a.FileAccessPolicyProvider Authorizations file loaded at Mon Feb 10 11:18:54 SGT 2020
2020-02-10 11:19:12,609 INFO [NiFi Web Server-48] o.a.n.w.a.c.IllegalStateExceptionMapper java.lang.IllegalStateException: Kerberos ticket login not supported by this NiFi.. Returning Conflict response.
2020-02-10 11:19:12,641 INFO [NiFi Web Server-36] o.a.n.w.a.c.IllegalStateExceptionMapper java.lang.IllegalStateException: OpenId Connect is not configured.. Returning Conflict response."

2020-02-10 11:19:12,666 INFO [NiFi Web Server-48] o.a.n.w.s.NiFiAuthenticationFilter Attempting request for (CN=nifi-host1, OU=nifi, O=Liongate, L=nifi, ST=SG, C=SG) GET https://localhost:8443/nifi-api/flow/current-user (source ip: <ip>)
2020-02-10 11:19:12,673 INFO [NiFi Web Server-48] o.a.n.w.s.NiFiAuthenticationFilter Authentication success for CN=nifi-host1, OU=nifi, O=nifi, L=SG, ST=SG, C=SG
2020-02-10 11:19:12,738 INFO [NiFi Web Server-48] o.a.n.w.a.c.AccessDeniedExceptionMapper identity[CN=nifi-host1, OU=nifi, O=nifi, L=SG, ST=SG, C=SG], groups[] does not have permission to access the requested resource. Unable to view the user interface. Returning Forbidden response.
2020-02-10 11:22:11,245 INFO [main] o.a.n.a.FileUserGroupProvider Users/Groups file loaded at Mon Feb 10 11:22:11 SGT 2020
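
One way to read the nifi-user.log excerpt above, as an added example that is not part of the original posts: the script extracts the Initial Admin identity, the identity that authenticated and the identity that was denied, then compares them. It assumes identities are compared as exact strings with no identity mapping applied; `diagnose` and `common_name` are names chosen for this example.

```python
import re

# Three lines copied from the nifi-user.log excerpt in the post above,
# embedded here so the example runs offline.
SAMPLE_LOG = """\
2020-02-10 11:18:54,677 INFO [main] o.a.n.a.FileAccessPolicyProvider Populating authorizations for Initial Admin: Admin
2020-02-10 11:19:12,673 INFO [NiFi Web Server-48] o.a.n.w.s.NiFiAuthenticationFilter Authentication success for CN=nifi-host1, OU=nifi, O=nifi, L=SG, ST=SG, C=SG
2020-02-10 11:19:12,738 INFO [NiFi Web Server-48] o.a.n.w.a.c.AccessDeniedExceptionMapper identity[CN=nifi-host1, OU=nifi, O=nifi, L=SG, ST=SG, C=SG], groups[] does not have permission to access the requested resource. Unable to view the user interface. Returning Forbidden response.
"""

ADMIN_RE = re.compile(r"Populating authorizations for Initial Admin: (.+)$")
AUTH_RE = re.compile(r"Authentication success for (.+)$")
DENY_RE = re.compile(r"identity\[(.+?)\], groups\[(.*?)\] does not have permission")
CN_RE = re.compile(r"(?:^|,\s*)CN=([^,]+)", re.IGNORECASE)


def common_name(identity):
    """Return the CN of a DN-style identity, or None for a plain name."""
    m = CN_RE.search(identity)
    return m.group(1).strip() if m else None


def diagnose(log_text):
    """Return (initial_admin, findings) with one finding per denied identity."""
    # Assumption: exact string comparison, no identity mapping in effect.
    initial_admin, authenticated, findings = None, set(), []
    for line in log_text.splitlines():
        line = line.strip()
        if (m := ADMIN_RE.search(line)):
            initial_admin = m.group(1).strip()
        elif (m := AUTH_RE.search(line)):
            authenticated.add(m.group(1).strip())
        elif (m := DENY_RE.search(line)):
            identity = m.group(1)
            findings.append({
                "identity": identity,
                "groups": [g.strip() for g in m.group(2).split(",") if g.strip()],
                "authenticated": identity in authenticated,
                "is_initial_admin": identity == initial_admin,
                "cn_is_initial_admin": common_name(identity) == initial_admin,
            })
    return initial_admin, findings


if __name__ == "__main__":
    admin, results = diagnose(SAMPLE_LOG)
    for f in results:
        print(f"Initial Admin={admin!r} denied={f['identity']!r} exact_match={f['is_initial_admin']}")
```

On the excerpt, the denied identity authenticated successfully but is the full certificate DN with CN `nifi-host1`, which is not the string `Admin` that the policies were populated for.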


avatar

@MattWho

Thanks for the inputs. I was able to resolve the user certificate issue, but my UI is stuck with the issue below. I'm not sure why it's still referring to the HTTP port. It's kind of weird; can you please advise?

java.net.ConnectException: Failed to connect to hostname/ip:8080


avatar

@MattWho I'll try to delete the local state directory and restart the nodes. Is there anything else I should look into?